On Mon, Jun 15, 2015 at 12:07 PM, Paul Wouters <paul@xxxxxxxxx> wrote:
> On Mon, 15 Jun 2015, Stephen John Smoogen wrote:
>
>> Is the code on how ChromeOS or Android detects captivity part of the
>> 'public' code? It seems to do a 'good' job in finding many captive
>> portals so might be something to get an idea on how many weird ways
>> things are out there.
>
>
> I think everyone does it similarly. Apple, Google, etc.
>
> You have a web server with a guarantee on no HTTP redirect. You expect
> some specific content, typically "OK" to be there in the proper mime
> type. (usually text) If you get different text or a redirect or other
> error (eg forbidden) then you assume you're in a captive portal.
>
> Apple (foolishly) used to use something like http://apple.com/hotspot
> on their main site itself, which meant that using a VPN on demand could
> never protect apple.com because the iphone had to leave that domain out
> of the vpn trigger list or else all hotspot detection would be broken. It
> seems they have switched to captive.apple.com which returns "Success". It
> has a TTL of 10 (after a CNAME redirect into Akamai) but it is missing
> a AAAA record. Guess there aren't many ipv6 captive portals yet :P

Using http://apple.com/[anything] is an extra-terrible idea because
it's rather fundamentally incompatible with HSTS unless you fudge it
client-side to ignore HSTS.

--Andy
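
The probe check and the HSTS conflict discussed in this thread, as an added example that is not code from any poster or from ChromeOS, Android or Apple. The function names, the default "OK" body and the example.com hosts are assumptions made for illustration.

```python
# Added example: names and sample values are hypothetical, not from the thread.
import http.client
from urllib.parse import urlsplit

def fetch_probe(host, path="/", timeout=5):
    """Plain-HTTP GET; http.client never follows redirects, so a portal's 302 is visible."""
    conn = http.client.HTTPConnection(host, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}, resp.read()
    finally:
        conn.close()

def classify_probe(status, headers, body, expected=b"OK"):
    """Return ('open'|'captive', reason) for a probe response (header keys lowercased)."""
    if 300 <= status < 400:
        return "captive", "redirect to " + headers.get("location", "<none>")
    if status != 200:
        return "captive", f"unexpected status {status}"
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if not ctype.startswith("text/"):
        return "captive", f"unexpected content type {ctype or '<none>'}"
    if body.strip() != expected:
        return "captive", "unexpected body"
    return "open", "expected body received"

def hsts_upgrades(url, hsts_hosts):
    """True if a client honouring HSTS would rewrite this http:// probe to https://.

    hsts_hosts maps a known HSTS host to its includeSubDomains flag (RFC 6797 matching).
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "http" or not host:
        return False
    if host in hsts_hosts:
        return True  # exact match applies regardless of includeSubDomains
    labels = host.split(".")
    # A parent domain's policy covers this host only if it set includeSubDomains.
    return any(hsts_hosts.get(".".join(labels[i:])) for i in range(1, len(labels)))
```

A probe URL for which hsts_upgrades() returns True never reaches the portal as plain HTTP, which is why a dedicated probe hostname outside any HSTS policy is needed.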